Doomjuice.B Variant Builds on MyDoom Mayhem

A new variant of the Doomjuice worm has been reported by antivirus research firm
F-Secure. The worm, dubbed Doomjuice.B, attacks Microsoft's Web site, much like
its predecessor, Doomjuice.A.

Although it has characteristics similar to the previous worm, Doomjuice.B
is smaller and does not contain any of the source code found in the related
MyDoom.A, now widely considered to be the most virulent computer worm ever.

However, its small size and lack of source code do not mean the B variant is
harmless. The worm is designed to improve the distributed denial-of-service attack
on Microsoft and keep battering at the company's well-protected gates.

Opportunistic Infection

Mikko Hypponen, director of antivirus research in F-Secure's Helsinki, Finland,
office, told the E-Commerce Times that Doomjuice does not spread through e-mail.
Rather, it uses a backdoor left open by MyDoom.

"If someone has MyDoom on their computer," he said, "it's likely that
they'll also have Doomjuice as well."

He added that the similarity of the two worms suggests they were
written by the same people.

The first version of Doomjuice and another worm called Deadhat both
began spreading on February 9th. They have had limited impact because
most companies have cleaned systems that were infected with MyDoom.

Network Associates has estimated only about 50,000 to 75,000 machines are
still infected, so any Doomjuice attack would be on a much smaller scale
than the MyDoom debacle.

Only the Beginning

Doomjuice and Deadhat are the first reported opportunistic worms, but they
will not be the last.

Already, F-Secure has uncovered a variant of a Trojan, Mitglieder.H, that
exploits the MyDoom backdoor. Mitglieder.H contains several HTTP links that
it can use to download and execute programs. Right now, the links lead to Web
pages that are inaccessible, so the worm will not download anything.

An anti-MyDoom variant has also cropped up in Japan. A variant of the
Welchi worm, it copies itself onto infected systems and tries to remove
MyDoom while also attempting to download security patches.

In its report on Mitglieder.H, F-Secure noted, "It seems to be the morning
of MyDoom-exploiting worms."

Tougher Worm

Doomjuice.B works slightly differently from its A-variant predecessor, and that
difference makes it more dangerous. Hypponen said both variants copy themselves
into the Windows System Directory and attack the Microsoft site via the
HTTP protocol.

However, the B worm has a twist that makes it more effective.

"It improves the attack because it sets random HTTP headers," Hypponen said.
"The A variant didn't do this. Randomizing the headers makes it harder to filter
the traffic and avoid the attack that way."

The appearance of Doomjuice.B also coincides with a change in its predecessor's
behavior. The A variant was designed to sleep for a random interval before
launching its attack on Microsoft. If an infected machine is rebooted on
February 12th or later, the attack is immediate.

Boon for Security?

William Stearns, an instructor of perimeter security courses at The SANS
Institute, told the E-Commerce Times that the presence of so many worms and
their variants may pose a threat to Microsoft and other targets, but could be
a good thing for companies that provide security audits.

"People are starting to think about how strong they'd be if they were
attacked," he said. Because of this, there may be an increase in business
for assessment software, security consulting and employee education
efforts.

"Everything that's going on makes you think about your vulnerabilities,"
Stearns said, "and I think we're going to see companies more focused on
how to defend themselves."